Security Basics mailing list archives

Re: why most sql injection is not occurred at mysql?

From: Francois Larouche <francois.larouche-ml () sqlpowerinjector com>
Date: Tue, 23 Oct 2007 10:14:17 -0700

Annyo MontyRee,

Funny you mention this because in my experience I found more sql
injections in mysql websites. But as you mention it's not related to the
database but how it has been implemented inside the web application
or/and inside the stored proc.

As for MySQL, since there were no stored proc before version 5.0 it
removes that threat inside the stored proc in the older versions.
However, the thing is, most of developers rely on the magic quotes
function that might seem to reduce the problem in MySQL but is still
there when an integer parameter is used. The bottom line is they might
just be harder to find or require more energy to find them.

Here what I noticed with experience, depending of the languages used for
the web development the chances were higher to get SQL injection if it
was ASP, PHP or Perl. Why? Because the learning curve for those
languages is small and unfortunately most of the examples used for
database interaction (SELECT, UPDATE, etc...) in books and websites use
string concatenation for simplicity and space limitation. Also, PHP
didn't have any system of prepared statement until (relatively)
recently, so by design there was blind sql injection.

Now, if you ask me if in general a SQL injection is more dangerous in
MS-SQL or Oracle than MySQL. I'll say most definitely. MS-SQL and Oracle
are closer to the OS and have more powerful stored procs. But again,
MySQL has enough harmful functions to create as much damage than any
other DBMS and it takes only one good vulnerability to own the system...

My 2 cents,

Cheers

Francois

Hello, all.


A I know, sql injection itself has not relation with DataBase.  

Surely I have seen sql injection is occurred at mysql.
but in my short experience, most sql injection is occurred at ms-sql or oracle based not mysql.

I don't know why. 

Any idea?


Thanks for your help in advance.



_________________________________________________________________
나의 글로벌 인맥, Windows Live Space!  
http://www.spaces.live.com

Current thread:

why most sql injection is not occurred at mysql? MontyRee (Oct 23)
- Re: why most sql injection is not occurred at mysql? Brian Daniel Beck (Oct 23)
- Re: why most sql injection is not occurred at mysql? Francois Larouche (Oct 23)
  - Re: why most sql injection is not occurred at mysql? jam (Oct 23)
    - Re: why most sql injection is not occurred at mysql? Jedrzej Majko (Oct 25)